Many countries and regions around the world are demanding 'data portability', under which citizens can transfer their personal data between online service providers. It is already a legal requirement in the European Union because of the General Data Protection Regulation (GDPR), a regulation on data and privacy. A new data portability provision in California will come into effect in 2020. Mandates around portability are expected in countries including India, Singapore, Australia, and Hong Kong.
Facebook appears to have warmed up to the idea but has raised several questions in a recently published white paper, "Charting a way forward: Data portability and privacy". The paper, written by Erin Egan, Vice President and Chief Privacy Officer, Policy, at Facebook, states that data portability helps people control their data and choose the services that best meet their needs. "At the same time, portability can present challenges to safeguarding privacy interests".
The white paper, Egan argues, is aimed at seeking feedback from stakeholders on "how to build portability in a way that empowers people and fosters competition while maintaining their trust in online services". Here are some of the hard questions the paper raises.
Which data should be portable?
There are all kinds of data, but it is ambiguous which of them should be portable. There is operational complexity in asking service providers to port every piece of data. The white paper says that "it seems clear that people should be able to transfer data such as the photos they upload to a service or the posts they make to a social network. It's less clear what other data should be included". In the context of online service providers, other data includes information such as search history, location data, activity logs, and information mined on the basis of the uploaded data, among others.
"Another question is whether there are cases in which the burden of making data portable outweighs the person's interest in exporting it. For example, a service's data about a person's use of a service could include a list of every page or piece of content the person has viewed within a certain period, every link he or she has clicked on, and every notification he or she has received. Service providers often keep logs of this information for periods of time, but the process of making this log data portable could be challenging, and the benefits to the user might not always be obvious. Would it be useful, for example, to be able to export a list of all the links you have clicked on Facebook within a certain period? Or an archive of every ad you've seen while scrolling through News Feed?" the white paper asks.
"Given that portability is partly intended to encourage competition and the emergence of new services, we should consider these questions in light of the operational burden they would impose on service providers with fewer resources than companies like Facebook," it adds.
Whose data should be portable?
In these days of shared experiences, it is not clear if your data is strictly yours. A photograph you uploaded and want ported could include images of a second or third person. What about their rights and controls?
"It is sometimes difficult to delineate whose data should be transferred in response to a data portability request. We have found this to be particularly true for Facebook, a core function of which is to allow users to connect with other people and create shared experiences. And the ability to transfer data about your contacts - or friends - can raise especially challenging privacy issues," Egan writes.
How should privacy be protected?
Laws requiring data transfers are doing the rounds, but online service providers have not been given guidance on how to protect privacy during the transfers. "Stakeholders have raised concerns about the privacy and security risks of portability tools, and about the lack of clarity from policymakers and regulators about what is expected of transferring entities. More clarity on these points is key because in order for data portability to enhance people's control over their data, users should be able to trust that their data will be handled responsibly during and after the transfer," the white paper stresses.
Who is responsible if the data is misused?
The paper adds that people and service providers need clarity on who is responsible for processing and protecting data before, during, and after a user-requested data transfer. "Regulators have taken the position that platforms like Facebook may be responsible for ensuring that data is protected following certain user-requested transfers of data to third parties. Is that the case when it comes to data portability requests?" the paper asks.
The guidance, in some cases, appears to be clear. Before and during any data transfer, the transferring service provider is responsible for securing the transmission. After the transfer, the transferring service provider is not responsible for the processing of the data by the recipient company. "But there are clearly some circumstances in which policymakers and regulators expect transferring entities to maintain responsibility even after the transfer," the white paper says.
More clarity by regulators on all the above will help companies such as Facebook build better portability tools and ensure that portability is implemented "in a privacy-protective way".